Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 28 Jul 2015 08:27:23 -0700
From: Grant Murphy <grant.murphy@...com>
To: oss-security@...ts.openwall.com
Subject: [OSSA 2015-013] Glance task flow may fail to delete image from
 backend (CVE-2015-3289)

=====================================================================
OSSA-2015-013: Glance task flow may fail to delete image from backend
=====================================================================

:Date: July 28, 2015
:CVE: CVE-2015-3289


Affects
~~~~~~~
- Glance: versions 2015.1.0


Description
~~~~~~~~~~~
Abhishek Kekane from NTT reported a vulnerability in Glance. By
creating numerous images using the import task flow API and deleting
them, an authenticated attacker may accumulate untracked image data in
the backend resulting in potential resource exhaustion and denial of
service. All glance setups are affected.


Patches
~~~~~~~
- https://review.openstack.org/#/c/181816/ (Kilo)
- https://review.openstack.org/#/c/181345/ (Liberty)


Credits
~~~~~~~
- Abhishek Kekane from NTT (CVE-2015-3289)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1454087
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3289


Notes
~~~~~
- This fix will be included in the future 2015.1.1 (kilo) release.

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.